Understanding the Protections Offered by the HIPAA Privacy Rule


Kevin Henry

HIPAA

January 16, 2024

8 minutes read

The HIPAA Privacy Rule sets national standards that govern how health information is used and disclosed, and what rights you have over it. This guide explains the core protections, who must comply, and how organizations should implement privacy safeguards while honoring your rights.

National Standards for Protected Health Information

Protected health information (PHI) is individually identifiable health information about an individual's past, present, or future condition, the care provided, or payment for that care. The Rule covers PHI in any form (paper, oral, or electronic protected health information, ePHI) that a covered entity or business associate holds or transmits.

PHI excludes certain categories, such as education records covered by FERPA, employment records held in an employer's role as employer, and de-identified data. Information is de-identified under the Safe Harbor method when all 18 specified identifier categories for the individual and for relatives, employers, and household members are removed and the entity has no actual knowledge that the remainder could identify the individual; alternatively, a qualified expert may determine and document that the risk of re-identification is very small.

  • Examples of identifiers that make information PHI include names, addresses, dates directly related to the individual (birth, admission, discharge, death), medical record numbers, device identifiers, and full-face photos.
  • A limited data set (direct identifiers removed, but dates, city, state, ZIP code, and ages retained) may be used for research, public health, or health care operations under a data use agreement; it is still PHI.
  • PHI of individuals deceased for more than 50 years is no longer protected PHI.

Covered Entities and Business Associates

Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions. If you work in or interact with these organizations, HIPAA governs how PHI may be used and shared.

Business associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of covered entities—such as billing services, EHR vendors, cloud hosts, and analytics firms. They must sign business associate agreements and are directly liable for complying with key Privacy Rule requirements.

  • Covered entities must ensure business associates implement appropriate privacy safeguards and limit uses to the services contracted.
  • Subcontractors that handle PHI are also business associates and need equivalent protections through written agreements.

Administrative and Technical Safeguards

Administrative safeguards under the Privacy Rule

The Privacy Rule requires reasonable administrative safeguards to prevent inappropriate uses or disclosures. Organizations must assign a privacy official, adopt policies and procedures, train the workforce, apply sanctions for violations, and apply the minimum necessary standard for most uses and disclosures.

Role-based access, verification procedures, and processes for receiving complaints and mitigating harmful effects are core components. Documenting decisions—such as what is “minimum necessary” for common tasks—helps ensure consistency.

Technical safeguards for ePHI

While the Security Rule specifically governs ePHI, its technical safeguards complement Privacy Rule obligations. Common controls include unique user IDs and strong authentication, access controls, audit logs, integrity protections, and transmission security, with encryption in transit and at rest applied as the risk analysis warrants.

Risk management and training

Regular risk analysis, updates to system configurations, and continuous workforce training keep privacy safeguards effective as technologies and workflows change. You should periodically review incident response steps to quickly contain and report potential privacy failures.

Permitted Uses and Disclosures of PHI

Uses and disclosures based on individual authorization

When a use or disclosure is not otherwise permitted, a valid individual authorization is required. It must clearly describe the information, purpose, recipient, expiration, and your right to revoke, and it must be signed and dated. Authorizations are also required for most marketing, any sale of PHI, and most uses and disclosures of psychotherapy notes.

Uses and disclosures without authorization

No authorization is needed for treatment, payment, and health care operations. PHI may also be disclosed without authorization for select public interest and benefit purposes when conditions are met.

  • Public health activities, health oversight, and certain research (for example, with IRB waiver or a limited data set).
  • Judicial and administrative proceedings, law enforcement requests that meet HIPAA criteria, and organ or tissue donation.
  • Averting serious threats to health or safety, workers’ compensation, and specialized government functions.

Minimum necessary and incidental disclosures

Except for disclosures to a provider for treatment, disclosures to the individual, uses or disclosures made under an authorization, and a few other situations, a covered entity must limit PHI to the minimum necessary to accomplish the purpose. Incidental disclosures (for example, a visitor overhearing a conversation at a nursing station) are not violations only when they are a by-product of an otherwise permitted use or disclosure, reasonable safeguards are in place, and the minimum necessary standard has been applied.

De-identified data

De-identified data is not PHI and may be used or disclosed without Privacy Rule restrictions. A limited data set is still PHI: a data use agreement must specify the permitted purposes, the recipients, and the safeguards, and must prohibit re-identification or contacting the individuals.
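The difference between the two de-identification paths above (Safe Harbor in the section on national standards, and the limited data set that still needs a data use agreement) is easiest to see applied to a record. The following is an added example, not code from the article or from Accountable. It assumes a flat dictionary record with the field names shown; the set of sparsely populated 3-digit ZIP prefixes and the patient record are constructed for illustration, and a real deployment must take the ZIP list from current Census data and handle free-text fields separately.

```python
"""Safe Harbor de-identification versus limited-data-set reduction of one PHI record.

Added example (not the article's own code). Safe Harbor (45 CFR 164.514(b)(2))
removes 18 identifier categories; a limited data set (164.514(e)(2)) removes only
the direct identifiers and keeps dates, city/state/ZIP, and ages.
"""
from datetime import date

# Direct identifiers removed by BOTH Safe Harbor and the limited data set.
# Field names are assumed for this example.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "photo",
}

# Constructed placeholder: 3-digit ZIP prefixes whose area holds 20,000 or
# fewer people. Safe Harbor requires such prefixes to be replaced with "000".
# The real list comes from Census data; these values are illustrative only.
SPARSE_ZIP3 = {"036", "059", "102", "203"}

# Dates directly related to the individual: Safe Harbor keeps only the year.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# Constructed reference date for age calculations (the article's publication date).
AS_OF = date(2024, 1, 16)

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "12 Example Lane",
    "city": "Anytown",
    "state": "NY",
    "zip": "10201",
    "phone": "555-0100",
    "email": "jane@example.com",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-0001",
    "birth_date": date(1932, 5, 3),
    "admission_date": date(2023, 11, 20),
    "discharge_date": date(2023, 11, 25),
    "diagnosis_code": "E11.9",
}


def _age_on(ref: date, birth: date) -> int:
    """Whole years between birth and ref, accounting for whether the birthday has passed."""
    years = ref.year - birth.year
    if (ref.month, ref.day) < (birth.month, birth.day):
        years -= 1
    return years


def limited_data_set(record: dict) -> dict:
    """Drop the direct identifiers only. The result is still PHI and needs a DUA."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record: dict, as_of: date = AS_OF) -> dict:
    """Apply the Safe Harbor method to structured fields so the output is no longer PHI."""
    out = limited_data_set(record)
    # Geography smaller than a state may survive only as a 3-digit ZIP prefix,
    # and only where that prefix covers more than 20,000 people.
    out.pop("city", None)
    out.pop("county", None)
    zip_code = out.pop("zip", None)
    if zip_code is not None:
        zip3 = str(zip_code)[:3]
        out["zip3"] = "000" if zip3 in SPARSE_ZIP3 else zip3
    # Individual-related dates: reduce to the year.
    for field in [f for f in DATE_FIELDS if f in out]:
        out[field.replace("_date", "_year")] = out.pop(field).year
    # Ages over 89 collapse into a single "90+" category, and the birth year
    # must go too because it would reveal an age over 89.
    if "birth_date" in record:
        age = _age_on(as_of, record["birth_date"])
        if age > 89:
            out["age"] = "90+"
            out.pop("birth_year", None)
        else:
            out["age"] = age
    return out


def residual_identifiers(record: dict) -> set:
    """Fields that would still make a record PHI under Safe Harbor: direct
    identifiers, sub-state geography, or any full date object."""
    found = {k for k in record if k in DIRECT_IDENTIFIERS or k in ("city", "county", "zip")}
    found |= {k for k, v in record.items() if isinstance(v, date)}
    return found


if __name__ == "__main__":
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    print("safe harbor:", safe_harbor(SAMPLE_RECORD))
    print("residual after safe harbor:", residual_identifiers(safe_harbor(SAMPLE_RECORD)))
```

Note that the output of `safe_harbor` is only de-identified if the entity also has no actual knowledge that the remaining fields (here a state, a ZIP prefix, years, an age band, and a diagnosis code) could identify the person; a rare diagnosis combined with a sparse ZIP area is the classic way that knowledge arises, which is why `residual_identifiers` is a necessary but not sufficient check.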

Individual Rights Under the Privacy Rule

Right of access

You have the right to inspect and receive copies of PHI in a designated record set, including electronic copies if the information is maintained electronically. You can request that your records be sent to a third party and receive them in the form and format you request if readily producible. The covered entity must act on the request within 30 days (with one 30-day extension if it gives written notice of the reason) and may charge only a reasonable, cost-based fee.

Right to amend

If you believe information is incorrect or incomplete, you can request an amendment. If denied, you may submit a statement of disagreement to be linked to the record.

Right to an accounting of disclosures

You may request an accounting of certain disclosures made in the six years before the request, excluding disclosures for treatment, payment, and health care operations, disclosures to you or under your authorization, and some other categories.

Right to request restrictions and confidential communications

You can ask a provider to restrict disclosures to a health plan when you pay for an item or service in full out of pocket. You may also request communications by alternative means or at alternative locations to protect your privacy.

Notice of Privacy Practices and complaints

Covered entities must provide a Notice of Privacy Practices describing uses, disclosures, your rights, and how to file a complaint. You have the right to complain without fear of retaliation.

Special Provisions for Reproductive Health Information

The Privacy Rule includes added protections for PHI related to reproductive health care. In general, covered entities and business associates may not use or disclose PHI to investigate or impose liability on individuals or others for seeking, obtaining, providing, or facilitating lawful reproductive health care.

Certain requests, such as those from law enforcement, health oversight agencies, or parties to legal proceedings, require a signed attestation that the PHI will not be used for a prohibited purpose. Regulated entities should implement intake checkpoints to verify the requester's purpose, assess whether the care was lawful in the relevant jurisdiction, and document each determination.

  • Update policies, workforce training, and intake forms to reflect attestation and verification steps.
  • Review business associate agreements to ensure downstream partners honor these restrictions.
  • Revise your Notice of Privacy Practices to describe these protections and processes.

Enforcement and Penalties

The HHS Office for Civil Rights (OCR) enforces the Privacy Rule through complaint investigations, compliance reviews, and audits. Matters often resolve through corrective action plans and monitoring; serious or uncorrected violations may lead to civil monetary penalties.

Civil penalties follow tiered levels based on culpability, from lack of knowledge through reasonable cause to willful neglect, with per-violation amounts and annual caps adjusted for inflation. The Department of Justice may pursue criminal penalties for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA, with enhanced penalties for false pretenses or intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.

OCR also brings targeted enforcement actions, including initiatives focused on timely right-of-access compliance. State attorneys general may file civil actions on behalf of residents. While HIPAA does not provide a private right of action, individuals may have remedies under other laws.

FAQs

What types of information does the HIPAA Privacy Rule protect?

The Rule protects protected health information that identifies you and relates to your health, care, or payment for care, in any medium (paper, verbal, or electronic). It excludes de-identified data, education records under FERPA, employment records held by an employer, and PHI for individuals deceased more than 50 years.

How does the Privacy Rule regulate disclosures of PHI?

It permits disclosures without authorization for treatment, payment, and health care operations and for specific public interest purposes under defined conditions. Other disclosures require your individual authorization. The minimum necessary standard applies to most disclosures other than those for treatment, and incidental disclosures are tolerated only when they are a by-product of a permitted disclosure made with reasonable safeguards in place.

What rights do individuals have under the HIPAA Privacy Rule?

You can access and obtain copies of your records (including electronic copies), direct records to a third party, request amendments, receive an accounting of certain disclosures, request restrictions and confidential communications, and receive a clear Notice of Privacy Practices. You may also file a complaint without retaliation.

What are the penalties for noncompliance with the Privacy Rule?

OCR can require corrective actions and impose tiered civil monetary penalties per violation, with caps adjusted for inflation. The Department of Justice may bring criminal cases for knowingly obtaining or disclosing PHI, with higher penalties for false pretenses or intent to sell or misuse PHI. OCR also undertakes enforcement actions targeting systemic noncompliance, such as failure to provide timely access.
